CIS policy audit flags ossec ossecm ossecr sharing a home directory


Peter

Aug 25, 2020, 10:11:07 PM
to ossec-list
I also posted this question on Reddit.

When we run a CIS policy scan on a Linux server running Ossec, it complains that the three users ossec, ossecm, ossecr all share the home directory /var/ossec.

Does anyone have a recommendation on the importance of this finding, whether it is OK to ignore, or possible to remediate?

I realize you may need more context to make a recommendation, but if not, please do.


Thanks

Sandra Ocando

Aug 26, 2020, 8:11:27 AM
to ossec-list
Hi Peter,

These three users allow the OSSEC processes to be executed with limited privileges and chrooted to directories, ensuring the highest privilege separation that still allows them to fulfill their function.
Depending on the specific CIS benchmark you are running and the policy that is warning about this, the rationale may vary, but for example on the Distribution Independent Benchmark version 2.0.0, policy 6.2.9 "Ensure users own their home directories" will complain because /var/ossec is the home folder for these three system users but the folder is owned by root.
The rationale for this check is that each user should be accountable for the files in their home directory; however, given that root privileges are necessary for enacting changes within these folders, the policy may be ignored.
Let me know if this answers your question; if not, let us know which policy is being triggered.

Best Regards,
Sandra
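Added example (not from this thread, and not the benchmark's own audit script): a simplified model of the "users own their home directories" check, run over a constructed /etc/passwd excerpt and a constructed ownership table standing in for stat(). It shows why ossec, ossecm and ossecr are flagged (their shared home /var/ossec is root-owned) and how a documented exception list for those three accounts turns the findings into accepted deviations while still flagging any other user whose home is owned by someone else. The exception set and sample uids are assumptions for this example.

```python
import os
from typing import Callable, FrozenSet, List, Tuple

# Constructed /etc/passwd excerpt: one regular user plus the three OSSEC
# service accounts that the thread says share /var/ossec.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ossec:x:995:993::/var/ossec:/sbin/nologin
ossecm:x:994:993::/var/ossec:/sbin/nologin
ossecr:x:993:993::/var/ossec:/sbin/nologin
"""

# Constructed ownership table (uid of each home directory's owner) used in
# place of a live stat() call so the example runs offline.
SAMPLE_OWNERS = {"/root": 0, "/home/alice": 1000, "/var/ossec": 0}

# Assumed exception list: system accounts whose home is intentionally
# root-owned, per the explanation above. Not a CIS-defined setting.
DOCUMENTED_EXCEPTIONS: FrozenSet[str] = frozenset({"ossec", "ossecm", "ossecr"})


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, home) for each non-empty passwd line."""
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            entries.append((f[0], int(f[2]), f[5]))
    return entries


def audit_home_ownership(entries, owner_of: Callable[[str], int],
                         exceptions: FrozenSet[str] = frozenset()):
    """Flag users whose home directory is owned by a different uid.

    Returns (findings, accepted): findings are (user, home, owner_uid);
    accepted are (user, home) for listed exceptions whose home is root-owned.
    """
    findings, accepted = [], []
    for user, uid, home in entries:
        try:
            owner = owner_of(home)
        except (FileNotFoundError, KeyError):
            continue  # a missing home directory is a separate CIS check
        if owner == uid:
            continue
        if user in exceptions and owner == 0:
            accepted.append((user, home))
        else:
            findings.append((user, home, owner))
    return findings, accepted


def live_owner(path: str) -> int:
    """Real ownership lookup for use on an actual host."""
    return os.stat(path).st_uid
```

On a real host, call `audit_home_ownership(parse_passwd(open("/etc/passwd").read()), live_owner, DOCUMENTED_EXCEPTIONS)`; the accepted list is what you would record as a documented deviation for the scan.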